Richard, as CTO for JLL where does Cyber Security fit in your priorities?
JLL take the threat of Cyber Security very seriously and over the past 18 months JLL has placed an increased level of importance on Cyber Security, to the level where we have formed a regional CISO (matrix to managed to both our Global CISO and myself).
As result of the increased risk of Cyber threats across the globe, JLL have significantly invested in skilled resources, 3rd party services, education and tools to better enhance our environment.
I was impressed to see that earlier this year, there was a JLL article – Defining Cyber Security – the impact on commercial real estate portfolio. I’ve not seen this kind of broad analysis before, can you comment on this?
This document has been produced to assist and provide a level of re-assurance to our clients (who include Government agencies and leading Financial Services institutions) that JLL understands the threats and associated risks with Cyber Security. We outline guidelines of implementing a robust program, both physical and logical - to protect against such security threats.
Working across a number of markets in Asia Pacific, where does your business face the greatest threats?
What we are seeing across the region is that it is not one specific country being "hacked" more than another - but what we are seeing that the cyber criminals are looking for general weaknesses in our environment.
Given this our biggest exposure are our staff, and how many of them still do not believe security is their responsibility. We continue to educate them, but often its not until they are personally impacted by an attack that they take security and the risk of cyber threats seriously.
What’s your view on the gap that Boards have around Cyber Security. Are there specific areas that they need to focus on?
I personally believe that due to the recent highly publicised cyber breaches around the world and resulting CEO resignations. Definitely have seen an increased interest by the JLL board, with respect to Cyber Security, with additional funding and headcount being approved and regular updates and compliance reports being submitted to the board for their review and action.
On the flip side, and while improving, we are still have work to do in instilling that same level of vigilance by many of our staff.
We are seeing more enterprises move into the cloud, what’s your view on managing these threats?
JLL is committed, and today actively managing, a hybrid cloud strategy. In addressing the security concerns, there is a general feeling that our data may in-fact be safer in the cloud.
As the Cloud vendors understand that security is one of the biggest concerns their client have in moving to the cloud and to address this they have invested heavily (more than I could ever do) in ensuring that they have the best people, process and technology to protect, detect and respond against possible attacks.
Actually, one of the biggest concerns that need to be addressed is not so much on cyber attacks but to privacy laws and where the data is being held - and the rights governments have to access that data - whether through legal or illegal means. Given this, I see most Companies still prefer to keep their highly sensitive data (IP etc) in a secured on-premise environment.
Have you been tracking the new advanced attacks Business Email Compromise (BEC)?
Yes, we have been watching, and are seeing an increase in BEC attacks at JLL.
While the Technology team are doing its best to detect and block such email requests before they enter the JLL network - we still do see such requests infiltrating our environment - emails sent, supposedly sent by our CEO, COO and CFOs to Finance and Account Mgt staff requesting for urgent release of funds et.
Fortunately, JLL has a strict financial approval process and staff all know that such requests would never be made outside the process, but it certainly doesn’t stop the criminals from trying.
We have seen a significant increase in these types of attacks over the past six months and we continually to educate our staff to stay vigilant against such requests.
I’m interested to understand your view on Cyber Security Insurance. Is it critical or is this just a crutch?
My personal view, it is a crutch. It is my personal view is that the best "insurance" a Company can take against protecting against Cyber crime is to invest in educating all staff that they have personal responsibility in protecting themselves and the Company against cyber crime.
By educating them to be alert of scams and possible attacks, not doing things (visit "risky" websites, not securing their devices etc that exposes them to possible attacks.
What’s the best coaching that you ever received?
Of interest JLLTechnologies is working together with HR and have jointly developed an on-line Cyber Security education module. This includes a number of secret "on line test attacks" after graduation to ensure that the end-user is remaining vigilant - should the users "fail" the test then they are required to take follow-up courses and their management is also made aware.
When you are hiring new staff, are there any qualifications that you believe are important to look for?
When hiring new staff - naturally we look to confirm that they have the specific technical skills and experience required to perform the role and secondly, and often more importantly, the personality that ensures cohesiveness with the existing team structure. Balancing a team that while continues to ensure a smooth steady state with staff that are willing to "shake up the norm" and disrupt they way we do business.
One of the biggest challenges with a number of our "disruption" hirers is that often the excitement to get new products out the doors often comes at the expense of ensuring adequate security is in place. Managing and balancing this risk is a key task that I work on now.
You are given an opportunity to provide some words of sage advice for Australian Government around Cyber Security – what would you say?
Cyber threats are real and will be the next front in which wars are waged. Take this seriously. Please invest and ensure that our Infrastructure is secure and personal data safe from any possible cyber attack. We don’t want to be Estonia.
Lastly invest in your people - educate the public so they are aware and share the ownership against cyber attacks. Teach them to be vigilant and to be aware of the threats and risks. The damage such attacks can have both physically and materially are both real and substantial.